fix(nftables): allow DHCP/DNS and forwarding for libvirt virbr0

The host firewall has policy=drop on both input and forward chains.
libvirt creates its own nftables table for virbr0 NAT, but:

  1. It does not touch the input chain at all, so DHCP packets from
     guests (UDP/67) are dropped before reaching dnsmasq. Result:
     Windows guest stuck on 169.254.x APIPA forever.

  2. Its forward-chain accepts have the same hook+priority as ours.
     In nftables, all chains at a hook+priority must accept (any drop
     wins), so our policy=drop would block guest egress and return
     traffic even though libvirt's chain explicitly accepts.

Add minimal carve-outs for virbr0: DHCP+DNS in input, guest egress
and return traffic in forward.

0 files changed, 0 insertions, 0 deletions